What You Need to Know About Cyber Security Penetration Testing for Your Law Firm

For any SME or large company, it is all too easy to be lulled into a false sense of cyber security. You may have a dedicated cyber team in place, a clear and well-communicated cyber strategy, and policies and procedures to protect your business. But unless you are pen testing a) continually and b) at each level of technological vulnerability, you really cannot be sure that you are safe.

Rather like a burglar who ignores homes with security and looks for those with open windows or unlocked doors, cyber criminals will take advantage of the smallest vulnerability to steal from or cause damage to your business.

In this article, we explain why penetration testing (‘pen testing’) must be an ongoing process, the types of testing involved, how you can be sure you have enough pen testing in place, and how you can put the necessary resources and skills in place. Thankfully, according to cyber specialists Lares, the vast majority (~95%) of pen testing issues can be resolved with straightforward fixes; and you can be sure that those are the vulnerabilities which most cyber criminals will leverage. As such, there is really no excuse for not fixing them.

What are the levels of pen testing you need to consider?

When many think of pen testing, they tend to consider only attacks from outside your network, whether from another town, city, or country. In practice, there are many other facets of business technology which could be vulnerable to attack.

External network testing

External network testing is designed to ensure that anyone outside your network perimeter/firewall is unable to carry out malicious acts by exploiting gaps in your defences. For example, it may test whether a virus or other malicious code can breach your defences, or what would happen in an attempted Distributed Denial of Service (DDoS) attack, whereby an attacker attempts to overwhelm your network with so much traffic that your systems cannot respond to legitimate requests.

Internal network testing

Often overlooked is the need to test internal network vulnerabilities against anyone who has been able to get past your organisation’s external network defences – physically or virtually. This may be through a remote VPN connection, a disgruntled employee, or a criminal posing as an employee or contractor who has gained trusted network privileges.

Increasingly, internal networks are being breached by criminals using wi-fi. They achieve this by physically locating themselves close to an office and then taking advantage of known vulnerabilities in protocols such as the WPA standard to ‘listen in’ on network activity.

A new phenomenon is also causing considerable challenges for pen testers: ‘warshipping’. In this scenario, cyber criminals send a small electronic device (in practice a small battery-powered, wi-fi-enabled computer with a 3G modem attached) in a parcel to a member of staff at a business. The device ‘sniffs’ the company’s surroundings for wireless access points and other data worth stealing. These devices can then be used to gain a ‘foothold’ on internal network traffic, or even to stand up a separate network which employees may be enticed to connect to. Given the easy availability of such technology, it is easy to see how attacks of this nature may become commonplace. This also illustrates precisely why pen testing must be a rolling process, as new methods of attack are constantly being uncovered.

Web application testing

If your organisation uses third-party or internally developed web-based business applications, whether for clients, customers, business partners, or employees, these will also need to be pen tested to ensure no vulnerabilities exist. The reason for this is that web applications form a bridge between the outside world and your internal data, and as such, if developed (coded) in a manner which is not fully secure, attackers can use that poor development practice to their advantage. Web applications must prevent unintended access to back-end systems by using best-practice coding, but unfortunately this is sometimes not the case, especially for in-house developed systems. It may then be possible for an attacker to use ‘cross-site scripting’ (XSS) methods to alter client-side JavaScript so that it brings back data from your internal database which the web application was never designed to return. Effective pen testing will also check whether an outside actor can carry out a ‘SQL injection’ attack (whereby they read, write, delete, change, or corrupt data in your business database(s)).
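The two coding defects this section names are easiest to recognise side by side with their fixes. The following is an added illustration written for this article, not code from any firm's application or from a pen-testing vendor: it builds a constructed in-memory SQLite table of (invented) client matters, then shows a lookup that splices user input into the SQL text next to the parameterised version, and an HTML fragment that reflects input unescaped next to one that escapes it. The function names, table layout and sample values are all assumptions for the example.

```python
import html
import sqlite3

# Constructed sample data standing in for a firm's internal database.
# Client names and matters are invented for this example.
SAMPLE_MATTERS = [
    ("Acme Ltd", "Lease renewal", 0),
    ("Acme Ltd", "Merger negotiation", 1),   # confidential = 1
    ("Beta plc", "Employment dispute", 1),   # confidential = 1
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE matters (id INTEGER PRIMARY KEY, client TEXT, "
        "summary TEXT, confidential INTEGER)"
    )
    conn.executemany(
        "INSERT INTO matters (client, summary, confidential) VALUES (?, ?, ?)",
        SAMPLE_MATTERS,
    )
    return conn


def lookup_vulnerable(conn, client_name):
    """Defective pattern: user input is pasted into the SQL text.

    Because the value becomes part of the statement, a quote in the input
    changes the query's structure, and the 'confidential = 0' restriction
    can be switched off by whoever controls client_name.
    """
    query = (
        f"SELECT client, summary FROM matters "
        f"WHERE client = '{client_name}' AND confidential = 0"
    )
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, client_name):
    """Fixed pattern: a placeholder carries the value separately from the SQL.

    The driver never interprets the value as SQL, so quotes or comment
    markers in client_name are matched literally against the column.
    """
    query = (
        "SELECT client, summary FROM matters "
        "WHERE client = ? AND confidential = 0"
    )
    return conn.execute(query, (client_name,)).fetchall()


def render_vulnerable(client_name):
    """Defective pattern: input reflected into HTML verbatim (reflected XSS)."""
    return f"<p>Results for {client_name}</p>"


def render_escaped(client_name):
    """Fixed pattern: HTML-escape the input before it reaches the page."""
    return f"<p>Results for {html.escape(client_name, quote=True)}</p>"


if __name__ == "__main__":
    conn = build_db()
    hostile = "Acme Ltd' OR 1=1 --"          # constructed test input
    print("vulnerable :", lookup_vulnerable(conn, hostile))      # all rows leak
    print("parameterised:", lookup_parameterised(conn, hostile))  # no match
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_escaped("<script>alert(1)</script>"))
```

In a pen test, the checks above correspond to two findings: a query whose result set changes when a quote character is added to an input, and a page that reflects a tag unchanged. The parameterised query and the escaping call are the straightforward fixes the article refers to; they do not require any change to the application's design.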

Social engineering testing

The final and often overlooked aspect of pen testing is in the area of social engineering.  While you may have all of the technology necessary to protect your organisation, if a member of staff can be unwittingly duped into revealing sensitive corporate information, your business is exposed.  Social engineering pen testing aims to test the compliance of your staff with existing rules, policies, and procedures intended to prevent such an occurrence.  In doing so, a pen tester may deliberately target a member of staff to see how susceptible your law firm is to a social engineering attack.

It is important, however, to ensure that any pen testing which involves people, as opposed to systems, is done in a way which does not cast blame or compromise their role in any way. That is not the intention of the exercise and can have unintended consequences. While this is a necessary test, it should not come at the cost of undermining confidence in the organisation or its management.

In conclusion

Pen testing is a vital exercise for all law firms, ensuring that their investment in cyber security is borne out by the ability to withstand real-life attempted attacks. By tackling pen testing at all levels of vulnerability, your law firm will be ahead of many others who have yet to implement such processes. Lack of skills and resources should not be a barrier to pen testing. You may opt to employ specialists in-house for this exercise or contract a third-party managed security service provider (MSSP) to do it for you. There is also the possibility of a hybrid approach whereby an in-house team uses third-party cloud-based tools, avoiding the need to install, maintain and manage cyber security testing platforms in-house; for smaller organisations this will save considerable time and help manage costs. Whichever approach you take, now is the time to review your firm’s approach to pen testing, before it is too late.